Common use of Security Certifications Clause in Contracts

Security Certifications. CONTRACTOR represents and warrants to AGENCY that CONTRACTOR incorporates the following in the development, management and delivery of its information security management services: (i) ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) ISO/IEC 27000 series of Information Security Management Systems standards ("ISO Security Standards"), (ii) SSAE 16 (Statement on Standards for Attestation Engagements), and (iii) Payment Card Industry Data Security Standard (PCI DSS). If CONTRACTOR is, or if and when CONTRACTOR becomes, certified under the ISO Security Standards or other security services standard, CONTRACTOR shall maintain such certification(s) on an on-going basis and CONTRACTOR shall provide AGENCY with a copy of such certification(s) upon request. CONTRACTOR shall provide AGENCY with full and complete copies of any ISO Security Standards audits and reviews, SOC 1 reports, SOC 2 reports, and other security audits, reports and reviews, whether conducted internally by CONTRACTOR or through a Third Party, within five (5) days of a request by AGENCY and within twenty (20) days of CONTRACTOR's receipt of such audits, reports and reviews. If there are deficiencies cited and/or recommendations made, the CONTRACTOR Information Security Officer, the CONTRACTOR Executive Sponsor and other appropriate personnel from CONTRACTOR shall meet with AGENCY to review the deficiencies and recommendations and develop a plan of action to address such items.

Appears in 3 contracts

Sources: Professional Services, Professional Services, Professional Services